Once upon a time we believed that the contents of RAM are gone as soon as the power is turned off.
Software such as ssh-agent, PGP implementations and hard-disk encryption tools relies on exactly that: their encryption keys live in RAM and are supposed to disappear when the system is switched off.
When I came across this information I thought you might be interested to hear a bit more about this research project and the paper the researchers produced.
The results are bad news for anyone relying on disk encryption to protect data against thieves and intruders. The abstract of the paper is as follows:
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images.
We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount attacks on popular disk encryption systems – BitLocker, FileVault, dm-crypt, and TrueCrypt – using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques.
We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.
New Research Result: Cold Boot Attacks on Disk Encryption (blog entry by Ed Felten)
More, including an FAQ and the paper itself, can be found here:
Lest we remember: cold boot attacks on encryption keys
What does it mean to you?
It gets worse than what the abstract’s dry language describes. Remember, the researchers are analyzing the contents of RAM, not the contents of the hard drive.
Meaning
If you use an encrypted file system and want privacy and security while you are away from your computer, shut it down completely rather than putting it to sleep (sleep keeps the RAM powered and the keys in place), and then wait a few minutes for the RAM contents to fade; the paper measured retention of seconds to minutes at operating temperature, and an attacker who cools the memory chips can stretch that considerably. A better option is to keep your sensitive files on a separate encrypted volume, such as an encrypted external disk, and unmount it as soon as you are done. But be careful: the volume's key sits in RAM for as long as the volume is mounted, because you had to mount it to encrypt and write those files, and after unmounting it is only gone if the encryption software actually overwrites it. Applications that opened the files may also keep plaintext copies in their own memory.
So shutting down the system, zeroing memory on boot, and unmounting encrypted volumes are some options to protect one’s data against this type of attack. The paper suggests others, including
- limiting booting from network or removable drives,
- better methods of putting a computer to sleep (perhaps involving encrypting the portions of memory with the keys to the file system),
- recomputing keys when they’re needed to avoid keeping copies in memory, and
- hardware changes such as tamperproof or encrypting RAM.
WARNING
The researchers describe how they can extract the contents of a computer's memory and recover the secret key used to encrypt its files. One person put these claims to the test and handed the researchers his MacBook with FileVault enabled. If you want to see what happened, check out their slideshow.
MORE INFORMATION THAT RELATES TO THIS MATTER
- 5 data security breach regulation – judge is spelling out the exact costs for TJX
- Apple’s iTunes DRM system reverse engineered or cracked
No Responses to “BitLocker, FileVault, dm-crypt, and TrueCrypt fail to protect your contents on RAM”